How much do you think the executive level management of your company understands IT risk? Do they listen when you bring it up, or do you get the feeling they're just humoring you and waiting for the talk to move back to ROI and alignment? You're not alone: plenty of CIOs feel that other C-suite execs aren't getting the message when it comes to the importance of risk management. This post by Ericka Chickowski lists three ways you can try to get executives to listen to you about risk, and the first tip is to frame the discussion around return on investment. ROI is a powerful way of explaining why risk matters, and being able to quantify what avoiding negative consequences is worth to the company is a good way to catch the interest of C-level executives. Cite the actual costs of past security breaches and show how that money could have been used elsewhere. The next tool is to come to the table with threats prioritized against existing business objectives:
CEOs respond well to numbers — but only when they're framed around what those numbers mean in relation to business objectives and the bottom line. This framing starts first by making sure that the words you're using are from a business lexicon, not a techno dictionary. "Anything really technical we tend to flub because we walk into the CEO's office and start spouting acronyms," says Mike Murray, managing partner for consulting firm MAD Security. "And we expect that person to take that and translate it to business speak in their head without realizing that it's our job to translate it for them in a way they understand."
The final point Chickowski brings up is that the discussion about risk doesn't need to be a zero-sum game. Determine, together with the CEO, what your organization's risk appetite is: how much risk it is willing to accept in exchange for getting business done. Almost no organization can achieve completely locked-down security from top to bottom, so deciding how hard you want to make attackers work, how prepared you are for the eventualities you choose not to prevent, and how much daily disruption to workers you are comfortable with is a good way to involve the C-suite and still get the discussion to happen.